
RSA Conference is right around the corner, and I’m excited to actually be able to see some talks this year. I’m on a panel with Dave Navetta and Serge Jorgensen on Tuesday covering the Dark Side of a Payment Card Breach (LAW-107, Room 131, 2:40pm). I am sure if you are there, we will bump into each other somewhere along the way!


One of the topics that I want to explore with other security folks while I am there is the shift to hardware-focused exploits, attacks that bypass the software layer and target firmware to take control of machines. It’s not a new concept and has been seen in both theoretical and actual attacks on systems. But as software vulnerabilities are closed, the bad guys have to come up with new ways to get into systems. It doesn’t have to be super creative or advanced to be effective. It could be as simple as tricking a device into “updating” its firmware with one you have crafted, thus giving you full control over the device.
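The defence against the “update with crafted firmware” trick described above is a bootloader that refuses any image it cannot authenticate. The following is an added illustration, not code from the original post or from any real device: it uses a constructed, hypothetical image layout (magic, version, payload, Ed25519 signature) and shows the two checks a device should run before flashing, a signature check against the vendor key and an anti-rollback version check.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (hypothetical, not a real vendor format):
// magic "FWIM" | uint32 big-endian version | payload | 64-byte Ed25519 signature over all preceding bytes.
var magic = []byte("FWIM")
var (
	ErrFormat   = errors.New("malformed image")
	ErrSig      = errors.New("signature rejected")
	ErrRollback = errors.New("version not newer than installed")
)
// BuildImage is the vendor-side signing step; the private key never leaves the vendor.
func BuildImage(version uint32, payload []byte, priv ed25519.PrivateKey) []byte {
	img := append([]byte{}, magic...)
	img = append(img, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(img[4:8], version)
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}
// VerifyImage is what the device runs before accepting an update: check the
// signature with the vendor public key baked into the bootloader, then refuse
// any image whose version is not newer than the installed one (anti-rollback).
func VerifyImage(img []byte, pub ed25519.PublicKey, installed uint32) (uint32, []byte, error) {
	if len(img) < 8+ed25519.SignatureSize || !bytes.Equal(img[:4], magic) {
		return 0, nil, ErrFormat
	}
	body, sig := img[:len(img)-ed25519.SignatureSize], img[len(img)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrSig // crafted or modified image: never applied
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if version <= installed {
		return 0, nil, ErrRollback // validly signed but old: also refused
	}
	return version, body[8:], nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := BuildImage(2, []byte("constructed payload v2"), priv)
	img[12] ^= 0xff // simulate a tampered payload byte
	_, _, err := VerifyImage(img, pub, 1)
	fmt.Println("tampered image:", err)
}
```

Without the version check, a validly signed but older image could be pushed to reintroduce a fixed flaw, which is why the rollback test sits beside the signature test rather than being optional.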

This becomes particularly critical when you look at devices that have simple but important functions and are rarely touched by technicians: things out in the field like smart meters, pump controllers, payment terminals, and traffic lights. Some people might choose highly technical and specialized attacks that involve drilling tiny holes and snaking wires into the hardware, but if you can figure out how to replace its firmware with yours, you can effectively scale the attack remotely.

The outcomes vary greatly, from nuisance to data theft to cyber-terrorism. Bricking my DVD player is a nuisance; shutting down a town’s water supply is an entirely different matter. If I can compromise a peripheral hardware device, what does that get me? Am I just messing around with a display device? Or am I in the system at a base layer that invalidates the software security controls above it?